Major Source of Online Scams and Spams Knocked Offline

A U.S.-based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about suspicious activity emanating from the network.

For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif.-based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.

On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry.

On Tuesday afternoon, I heard back from Global Crossing, one of McColo's major Internet providers. Its spokesman declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, its peers, and security researchers to address malicious activity.

Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.

Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.

"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

As of this writing, McColo's Web site is no longer available. In fact, I pinged no fewer than three different researchers who have tracked activity at McColo for many months: None could find a single Internet address assigned to the hosting provider that was still reachable.

Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site before the site was taken offline.

There's more to come with details about this story later tonight or early tomorrow, but I wanted to get this post published before we got scooped on our own story.

Nice work! Another reason we need a fearless and unfettered press. We'll never know how much misery you've saved people, but with the government busy with other things, it's nice to see you make a difference in such a positive way.

Fine work, Brian. It is distressing, however, to see Global Crossing's response. Even a common carrier has a responsibility to society to help stomp out child pornographers and identity thieves. To look the other way is to be complicit in such criminal activities.

That said, my fear is that some morally bankrupt host in the former Soviet bloc or China will happily take McColo's sleazy business.

Brian - Well done, and well reported.
For the user who asked about reporting news versus creating news, you misunderstand Krebs's reporting. Like most good reporters who write big stories, he either got tips or analyzed data regarding spam and cyber-security. It probably was a combination of both. If he determined from his research, reporting and analysis that this data was coming from one place, he did not create a story by informing the spam host's business partners. Rather, he sought comment from them about this site, and they took action.
What Krebs reported is not as big a story as Watergate, but what do you think Woodward & Bernstein did? Wait for a press release? A regulatory filing? No, they took one news event, worked backwards from it, and determined that something big was going on -- just like a spammer. Then they wrote about it, just like Krebs did.
When Henry Blodget on Silicon Alley Insider wrote that The New York Times Co faces several possibilities for survival, he did not tap into a planned news event. He analyzed a balance sheet and made conclusions.
Much of the news that comes out is because beat reporters see connections and draw conclusions that are not opinion, but reasoned and accurate viewpoints based on evidence out there that resists coalescing into a larger news event because most of us don't get it. That's why we have journalists, and this is a great example of that.
And now for the full disclosure: I'm Robert MacMillan. I am a reporter at Reuters who covers the journalism business, and I worked at washingtonpost.com for many years with Brian. I sat right across from him so I know what he eats for lunch.

Well, don't discount any actions that may or may not have been taken by Global Crossing. When we first wrote about the badness at Atrivo, Global Crossing was the first of their many upstream providers to pull the plug. They just never told anyone till after the entire network was dark.

Secondly, if you trace some of these McColo IPs that were once downstream of Global Crossing, you will see that they now die inside of GC, which indicates the company is doing some sort of filtering on those IPs (there is no indication yet that they have dropped McColo entirely from their routing tables, but this could change soon).

Things like this and the FBI's "Operation Bot Roast" are what give us internet users the hope that we won't have our life savings, our good name, or our kids stolen from us by criminals.

And if you know anybody at the FBI, or if they're listening - which might not be a bad thing, given some of the fine folks that post here - I have a Thanksgiving Request - "More Roast Bot, Please!"

We're hungry for a solution to the problem of spam, which we find very distasteful.

A steady diet of arrests of hackers and tender, juicy press releases about their arrest will keep us all well fed.

Arrests, seasoned with a heaping helping of media coverage, of people who steal over the internet or turn people's machines into bots would be especially delicious.

We're always really hungry for it.

These are really bad guys.

If you're 100% sure of who you've got, and it has to be 100% in this case, we won't mind if you give them the treatment that more conventional "blue collar" criminals receive, especially when they are taken and held for questioning.

These guys are criminals and should be treated that way, but for God sakes, guys, please, please make sure you've got the right guy.

Anyway, Brian, we, your readers, would love to see you do a book like "The Cuckoo's Egg", and I bet you'd enjoy going on Jon Stewart and Stephen Colbert.

Anyway, Thanks again, and please keep taking down the bad guys.

Maybe you can get some bright computer scientists to work with you to automate what you did (or write the code yourself) so you can take down bad guys in bulk, taking down the next smaller bad guys and the next ones after them and so on.

If you could cut spam down to 10% of what it is today, Obama should buy you lunch and a medal to go with it.

Good gracious, Robert. Nice to hear from you and thank you so much for the kind words.

Robert is being self-deprecating as usual. He was my editor for several years, and of course knows quite a bit about this business.

I believe he's spot-on about one thing in particular: I'm not breaking news so much as aggregating what people a lot smarter than me have already said but in disparate and far flung forums. The real credit for this should go to the unsung researchers and security experts who are forced to wade neck deep in this crud every day.

You are way too modest.
You've done something truly amazing.
If someone would have told me that taking down a single company could cut down on spam by 75% I would never have believed it.
I'm serious about the stuff in my post.
Anything you can do so that we can have anti-bot bots or any other automated system would be great, and I bet you've got more than enough material from this story or this plus some others to make a really interesting book!

This is, of course, great news. But I am afraid the fact that they shut down does not prevent them from popping up someplace else with a fresh new name, fresh new IP addresses and the same old client list. The key will be in following them around and keep shutting them down. Then they will probably go outside the USA. This is simply a small respite. If there is a profit to be made they will figure out how to keep popping up. But until that day I will enjoy this victory and hope it lasts at least a few weeks. The harder (and hence more expensive) the large ISPs make it for them to come back online, the sooner we will be rid of them.

Second: since you have managed to make contact with Global Crossing, you may want to remind them that people like me have also been reporting a diploma mill phone number which they are also the provider for (718-989-5740). It's been prolifically spammed since May of this year and they have never, ever responded to a single complaint about this number. Fake diplomas are a definite scam. (Would you like to be operated on by a "surgeon" who had one of these?)

I run a very small domain of users and for the past month have been following the *small* (40 - 60k per day) selection of junk inflow to it. I can not only say that I have not noticed any reduction over the past several days but it has grown slightly over the past 3 days. Still, that is no reason not to cheer the removal of such scum, even if only temporarily, from the net.

If they do manage to flee to some 3rd world hole, I would think that pressuring high-level providers to stop peering would be a route to go to keep them shut down.

It's sad that it takes a major newspaper like the Washington Post raising alarms before the major upstream providers like GBLX and HE will kick folks like McColo off the internet, but good going Brian. It's good to see tech journalists taking their responsibility to investigate and inform seriously and actually accomplishing something for the public good.

To echo the sentiments of others, where is the government? We hear a lot about our armed forces and intelligence agencies scrambling to mount a "cyber defense", but they're not paying attention to places like McColo which are pulling the strings of massive botnets that could potentially be used to mount the same kind of attacks they claim to be concerned about.

While this is a good short term improvement, the results of this are completely useless...

Let me explain why.

These perpetrators will simply move to other networks and become more dispersed and harder to track.

NO individuals or named organizations were identified in this report

NO intelligence was revealed to identify and LAMBAST them in the court of public opinion

I saw NO law enforcement arrests. For the type of activity you are describing it would be a big RICO case. I think it's a travesty that law enforcement has not used RICO laws to prosecute organized cyber operations of the scale and scope that is occurring today.

The penalties that are currently being meted out by our courts are a freaking JOKE
Big guys with major crimes get like 4 years or less. Even with the most egregious of ID theft, intellectual property theft and spying.

I see NO evidence of organizational infiltration to get intel on the bad actors, conduct sting operations, the luring and apprehension of suspect bad actors, the arrest and leaning on suspects to roll on their superiors of the network, similar to how they do it in organized crime and drug networks.

Until you start treating cybercrime like real crime, a lot of this stuff is neat from improving the cyber world by temporarily dispersing the activity and allowing researchers to observe and monitor elsewhere and report on new trends.

NO evidence of using cyber methods aside from research to exploit, and attack malicious cybernetworks, identify their drop sites, and attack their systems.

If you want advice on how to really make an impact contact me zeberlein_michael@hotmail.com

This action really points to the need to establish an international "Internet Use Commission" armed with enforcement powers and agreed-upon rules of RAPID action to regulate the Internet in order to provide fair, free, and unabusive service to the entire world. Preserve neutrality? Yes, by all means, but serious regulation is as badly needed here just as much as it is now obviously needed in the stock markets and financial markets as well.

The unfortunate truth is that, as indicated by others in previous posts, these criminals will likely move on to other hosting providers who may be less inclined to take proper action.

This is where I hope you will help by passing along some very important information to your readers and asking them to become INVOLVED.

As you may know, ICANN (the people who REGULATE Domain Names & Numbers) is currently reviewing policy regarding Registrars (the people who SELL Domain Names). The current policy requires anyone buying a domain name to provide "complete and current contact information" and that is good, but it leaves enforcement of this policy to the REGISTRARS... duh????

MANY OF THE REGISTRARS THEMSELVES ARE ANONYMOUS...

A number of REGISTRARS are operating with INVALID or FALSIFIED contact information, some only show a Postal Drop Box, while others work off of an e-mail address and provide no valid way for law enforcement or anyone else to reach them.

A number of these REGISTRARS have CONNECTIONS to PROVEN CRIMINALS, some with OWNERS/CEOs that have been convicted of various cyber crimes (child porn, drug sales, identity theft etc.)

The existing policy is as effective as leaving the fox to guard the hen house...

You and your readers can help change this by sending a "polite letter or e-mail" to ICANN, "insisting" that the REGISTRAR ACCREDITATION AGREEMENT be Updated, or Amended to include language similar to the following:

"All Accredited Registrars must submit main office location, including country, to be publicly disclosed in ICANN web directory. Post Office boxes, Incorporation addresses, and mail-forwarding locations will not be acceptable. Registrars must also provide for public display the name of CEO or President. ICANN must be notified within 30 days of a location or presiding officer change."

You can find postal and e-mail addresses for ICANN on their website ICANN.org

Once again Brian...

THANK YOU for helping to expose this criminal activity. I have been reporting this type of abusive activity to Hurricane and other hosts for a very long time and am convinced they (Hurricane) took much swifter and decisive action because you presented the evidence and they knew it was going to go public.

I know I won't be popular with this position but, if anyone can shut off Internet communications unilaterally without the benefit of a judiciary process, then freedom of speech is at risk. Like it or not, spam is a part of speech. You may find the content reprehensible and disturbing but, it is still speech and people have a right to speak. The other half of free speech is the freedom to listen or to choose to not listen.

How would I deal with something like spam? I would look for a distributed, nondiscriminatory solution that increases the opportunity cost for spammers so that through a natural economic mechanism, their activity becomes unprofitable. Take a look at hashcash.org for one of the components. Used properly with a reputation engine, there is little or no effect on legitimate users but a very large effect on spammers and commercial advertisers. If you want to talk about it, you can find me on the hashcash mailing list.
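The proof-of-work mechanism the previous comment points to works roughly as follows. The block below is an added illustration for this page, not code from hashcash.org or from anyone in this thread. It mints a version-1 stamp of the form `1:bits:date:resource::rand:counter` by incrementing the counter until the SHA-1 of the whole stamp has the requested number of leading zero bits, and it checks a received stamp for the claimed difficulty, the expected resource (the recipient address), its age, and reuse. The addresses, dates and bit counts are assumed sample values; the 28-day window and the replay set are this example's own choices, not a requirement of the format.

```python
"""Hashcash-style proof-of-work stamps for e-mail (illustrative, not hashcash.org's code)."""
import hashlib
from datetime import datetime, timedelta


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (SHA-1 here)."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n


def mint(resource: str, bits: int, date: str, rand: str) -> str:
    """Mint a version-1 stamp '1:bits:YYMMDD:resource::rand:counter'.

    The sender pays by trying counters until SHA-1(stamp) starts with
    at least `bits` zero bits; expected work is about 2**bits hashes.
    `date` is YYMMDD, `rand` is a per-message nonce (sample values in the test).
    """
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int, today: str,
           seen: set, max_age_days: int = 28) -> tuple:
    """Check a stamp on the receiving side. Returns (accepted, reason).

    `today` is YYMMDD; `seen` is the receiver's store of accepted stamps,
    which is what stops one expensive stamp being reused on many messages.
    Checking costs a single hash regardless of `min_bits`.
    """
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed"
    try:
        bits = int(parts[1])
        stamp_date = datetime.strptime(parts[2], "%y%m%d")
        now = datetime.strptime(today, "%y%m%d")
    except ValueError:
        return False, "malformed"
    if bits < min_bits:
        return False, "too few bits claimed"
    if parts[3] != resource:            # parts[4] is the unused extension field
        return False, "wrong resource"
    if stamp_date > now + timedelta(days=1) or stamp_date < now - timedelta(days=max_age_days):
        return False, "expired"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "bad proof of work"
    if stamp in seen:
        return False, "replayed"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    # Sample run with constructed values: 20 bits is roughly a million hashes.
    store = set()
    s = mint("alice@example.com", 20, "081112", "r4nd0m")
    print(s)
    print(verify(s, "alice@example.com", 20, "081112", store))   # accepted
    print(verify(s, "alice@example.com", 20, "081112", store))   # replayed
    print(verify(s, "bob@example.com", 20, "081112", set()))     # wrong resource
```

The asymmetry is the whole point: a legitimate sender spends a fraction of a second per message, a receiver spends one hash per check, and a bulk mailer's cost grows linearly with volume. Stamps are bound to one recipient and one date, so they cannot be shared across targets or stockpiled indefinitely, and the replay store stops the same stamp being attached to many messages.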

thanks - what makes ME want to vomit is how many people apparently justify dishonesty, distortion, deception and really, whatever they damn well please under the guise of "business" or making money. GROSS. WHAT is WRONG with these sick, messed up "people"???? Are you so disgustingly self centered, selfish and greedy, are you SO desperately in need of material things and $ that you feel it's okay to do whatever you WANT and SCREW whomever you please? It's SICK. Be GLAD you don't encounter ME, because MY wrath and fury would be significant. Cease and desist! Be honest! HELP other people, don't HURT them! It's just so blatantly obvious. Hard to believe people like this walk around able to even live among us and meet our gazes and hold their heads up. SICK, sick sick. YECCCH.

While I congratulate Brian for executing his ability as the "third" force, making law enforcement and ICANN look like the "toothless nannies" they seem to be, the problem will NOT be solved until much needed laws are set up. We will see Russian cybercrime take its beatings but their money laundering has already gone further than any LE would allow himself to dream in his worst nightmares: they are opening banks, issuing credit cards and are undermining the industry on such a big scale that there is no more way out!

As long as LE is looking the other way, as long as the organized crime structure is not fully investigated, as long as terrorism and child porn are the only issues where LE jumps in, as long as e-commerce is being let loose as it is, we will not see a change! McColo will be back under another name, ICANN will take money from Russian cybercrime mafia members for top-level domains and drink their champagne at the parties they are invited to... business as usual....

esj1 - Your defense of the First Amendment is admirable, but I believe it is slightly misinformed.

In my understanding (and I'm sure someone will correct me if I'm wrong), what McColo did was not simply "spam" in the sense of sending out unsolicited e-mails. Its activities included hosting and perpetuating illegal and dangerous activities, including viruses, worms, etc., fake pharmaceuticals, fraudulent products and possibly child pornography. Companies like Global Crossing and Hurricane Electric are well within their rights (and some would say are morally obligated) to "unilaterally" turn off access if their services are being used for illegal activities.

Were McColo simply "speaking" it would be one thing. But using bots and e-mail to hijack computers, steal information, sell fake and dangerous products and so on is not covered under free speech.

What's with people claiming that spam is some sort of free speech right? Sending spam is no different than breaking into the Washington Post's computers and putting in an ad, even without the spammer committing any explicitly illegal acts.

(Which isn't to say there's much spam out there where the spammer is that straightforward. They almost invariably forge headers, spam through zombies, sell prescription drugs without a prescription, etc.)

Wouldn't Global Crossing be leaving itself open to a class-action multi-billion dollar suit if it fails to shut off McColo after it has been given evidence that it is a problem child? It seems like every major (and minor) company in the nation would be on board that one. Very dangerous game they are playing.

If you aren't a technology guru (and working in IT doesn't make you one, or managing technology for that matter) then you have no competence nor business advising people on how to solve this problem. The 'I have the answer' people are almost exclusively incompetent in these matters. Half of them are benefiting from the spam, or benefiting from 'fighting it'. You can't fight spam. It doesn't work like that. The best you'll ever be able to do is avoid spam in the first place. This reduction in spam isn't real, even if some people happen to see some temporary reduction. To avoid spam you have to be competent and NOT give out your email address in the first place. Using throw-away addresses like mytrashmail, or forwarding addresses unique to each person you give your address to, works better in that you can disregard mail from addresses where you start receiving spam without affecting the ability to receive mail. You also need to realize how spammers get your email in the first place. They get it when you post your email address online in a text format. For instance these posts should not contain anybody's email. If you are posting your email here and think you have the solution to spam you are an idiot. Pure and simple. And by the way, having a Hotmail account just furthers the stereotype that Microsoft users are technically incompetent. It might be true... but let's stop propagating it as I'm sure there must be at least a handful of people who don't fall under that stereotype. Posting an address that spammers can't easily harvest is essential to posting an address on a forum and not getting on spammers' lists as a result. Here is a better way to do it: "If you have information for me, please email it to john.doe at hotmail dot comy minus the y."

Even I see a decline in spam today. Isn't it weird that Brian has to call the connecting hosters to make them shut down McColo?

Wouldn't it be time to investigate the kickback payments to the upstreamers who can charge for the bandwidth? Since we all know that spam is NOT generating income by idiots clicking on it, why doesn't anybody investigate the generated bandwidth issue?

Somebody is making money because of the spam bandwidth.... let's find out who it is.

Let's hope the new spam-hosting setup will be identified soon and this can be repeated quicker.

I am so happy, I don't like anyone that wants my money.
I would very much like to still be able to see porn on my internet.
Why is there any problem with seeing things that I want?
Child porn was how my life began, I like to see others, what could be wrong with that?
The taking off of one's clothes and touching is what life is all about, the people that take money from other people are the crime.

I can only hope that 'perfspot' was one of these. They came into my inbox but always said that I was out of their area because I choose to live in the Philippines. They only wanted money from people that were inside the borders of the USA, because then they could do bad to my bank account.